TF Plan crashes when aws_wafregional_web_acl contains a rule group #4077

Closed
erikpaasonen opened this issue Apr 5, 2018 · 5 comments · Fixed by #5053
Labels
bug Addresses a defect in current functionality. crash Results from or addresses a Terraform crash or kernel panic. service/waf Issues and PRs that pertain to the waf service.

@erikpaasonen
Contributor

erikpaasonen commented Apr 5, 2018

Edit: added -auto-approve in the Steps to Reproduce.

Terraform Version

Terraform v0.11.5

  • provider.aws v1.13.0

Affected Resource(s)

  • aws_wafregional_web_acl

Terraform Configuration Files

resource "aws_wafregional_rule" "example" {
  name        = "example"
  metric_name = "example"
}

resource "aws_wafregional_rule_group" "example" {
  name        = "example_group"
  metric_name = "example"

  activated_rule {
    action {
      type = "COUNT"
    }

    priority = 50
    rule_id  = "${aws_wafregional_rule.example.id}"
  }
}

resource "aws_wafregional_web_acl" "waf_acl" {
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "ALLOW"
  }

  rule {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_wafregional_rule_group.example.id}"
  }
}

Debug Output

https://gist.github.com/erikpaasonen/2269f54f7d4317d41e38825bf6267c60

Panic Output

https://gist.github.com/erikpaasonen/e29967981728bf61ce1a9f8a956fd709

Expected Behavior

Terraform should cleanly delete the WebACL.

Actual Behavior

Observed Terraform crash, and the WebACL still exists in the AWS Console. It also still has the rule group attached.

Steps to Reproduce

  1. terraform apply -auto-approve with the above code
  2. Due to a separate bug, the rule group won't actually attach to the WebACL, so the above Apply step will fail. So go to the AWS Console and attach the rule group named "example_group" to the WebACL.
  3. terraform destroy -auto-approve

Important Factoids

Support for the WAF Regional feature set was recently added to the AWS provider. This is likely just an oversight during initial implementation.

@bflad bflad added bug Addresses a defect in current functionality. crash Results from or addresses a Terraform crash or kernel panic. service/waf Issues and PRs that pertain to the waf service. labels Apr 5, 2018
@erikpaasonen
Contributor Author

The separate bug mentioned in the second step to reproduce is #4078 just for xref.

@erikpaasonen erikpaasonen changed the title Terraform crash when destroying aws_wafregional_web_acl with rule group attached TF Plan crashes when aws_wafregional_web_acl contains a rule group Apr 9, 2018
@erikpaasonen
Contributor Author

erikpaasonen commented Apr 9, 2018

Found that even a terraform plan crashes in this scenario, so this issue is not necessarily specific to the 'destroy' command. Step 3 could alternatively be:
terraform plan

@bflad
Member

bflad commented Jul 9, 2018

This should be fixed with #5053 which was just merged into master and will release with version 1.27.0 of the AWS provider, likely middle of this week. 👍

@bflad
Member

bflad commented Jul 11, 2018

This has been released in version 1.27.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Apr 4, 2020